5 Replies Latest reply: Sep 24, 2012 2:51 PM by mscarton RSS

    Automagically Switching jsessionid

      Is there a way to have WebLogic 11g automatically switch the jsessionid periodically? or by explicit call?

      The OWASP guidance indicates that the session id should be changed periodically and gives specific guidelines for events that mandate a change. ( [Top 10 2010-A3-Broken Authentication and Session Management|https://www.owasp.org/index.php/Top_10_2010-A3] ).

      So I was wondering whether there was a way to configure the WebLogic application server to generate a new jsessionid in association with a given session either on a periodic basis, on demand or by API call, etc. Best (or worst) case would be to have it assign a different jsessionid when providing each response, so that the same jsessionid was not reused during some period of time.

        • 1. Re: Automagically Switching jsessionid
          Kalyan Pasupuleti-Oracle
          Hi Mark,

          As per my knowledge there is no such option exists in weblogic.

          • 2. Re: Automagically Switching jsessionid
            Faisal Khan
            As Kalyan said, we dnt have such a feature as of now, however if you want additional security, you can secure the cookies following this article..

            • 3. Re: Automagically Switching jsessionid
              Thanks Kalyan and Faisal. That's what I was afraid of, but I was hoping that maybe Oracle had started to respond to the OWASP directives.

              Do you know whether there might be a reasonable way to extend WebLogic to have this capability? Or is this buried in the core of the application server?

              Sorry for belaboring this, but I need to have a comprehensive mitigation for session hijacking. Using the same session id for the life of an extended session seems to me to be a major weakness.

              Again, my thanks and regards.
              • 4. Re: Automagically Switching jsessionid
                Faisal Khan
                Please raise a ticket with oracle support.. your concern is very valid and at least you should let them know so that they can consider...

                • 5. Re: Automagically Switching jsessionid
                  I did, Faisal. They gave me some good feedback, but indicated that the product isn't capable of switching the session identifier token once it has been assigned.

                  It sounds like they've propagated the session id down into lower level objects, likely as a key for indexing lookups. So changing it on the fly isn't an option.

                  At this point, I'm starting to worry that the only adequate mitigation for session hijacking attempts is going with a pure-HTTPS site. And that seems to still have some large performance penalties for page rendering times, particularly on Internet Explorer 8 and 9.

                  My last remaining hope is that we might be able to use some sleight of hand in the Internet-facing load balancer. (Sigh!)

                  Thank you for all of your help. I really appreciate the guidance.